
Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 11 Feb 2009 16:38:40 -0800
Message-ID: <7789133a0902111638x573ee073x7e2e2a4afda34f83@mail.gmail.com>
To: Breno de Medeiros <breno@google.com>
Cc: Eran Hammer-Lahav <eran@hueniverse.com>, "www-talk@w3.org" <www-talk@w3.org>

On Wed, Feb 11, 2009 at 4:00 PM, Breno de Medeiros <breno@google.com> wrote:
> All of the above systems target browsers and none have the usage
> requirements of the proposed spec.

The point is there are enough HTTP servers on the Internet that let
users upload content in this way that these vendors have added strict
Content-Type processing to their metadata mechanisms.  If you don't
even warn consumers of your spec about these threats, those folks will
build applications on top of host-meta that make these servers
vulnerable to attack.

Adam
Received on Thursday, 12 February 2009 00:39:16 GMT
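
An added example, not part of the original message or of the draft: one way a consumer of a site-metadata file could apply the strict Content-Type processing the message describes, so that a file a user uploaded to the server and that is served under some other type is not treated as site metadata. The media type `application/host-meta`, the function names and the sample responses are assumptions made for this sketch.

```python
import re

# Assumed media type for the metadata document; the message does not name one.
EXPECTED_TYPE = "application/host-meta"

# HTTP "token" characters, used to validate type/subtype syntax.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_MEDIA_TYPE_RE = re.compile(rf"({_TOKEN})/({_TOKEN})")


def parse_media_type(value):
    """Return the lowercased type/subtype of a Content-Type value, or None."""
    essence = value.split(";", 1)[0].strip()  # drop parameters such as charset
    return essence.lower() if _MEDIA_TYPE_RE.fullmatch(essence) else None


def accept_metadata(headers, expected=EXPECTED_TYPE):
    """Decide whether a fetched response may be parsed as site metadata.

    headers is a list of (name, value) pairs as received. The decision uses
    only the declared Content-Type: no content sniffing, no default type.
    Returns (accepted, reason).
    """
    values = [v for k, v in headers if k.lower() == "content-type"]
    if not values:
        return False, "no Content-Type header"
    if len(values) > 1:
        return False, "multiple Content-Type headers"
    media_type = parse_media_type(values[0])
    if media_type is None:
        return False, "malformed Content-Type"
    if media_type != expected:
        return False, "unexpected media type " + media_type
    return True, "ok"


# Constructed sample responses (headers only), for illustration.
SAMPLES = {
    "operator-published": [("Content-Type", "Application/Host-Meta; charset=utf-8")],
    "uploaded as text": [("Content-Type", "text/plain")],
    "uploaded, generic type": [("content-type", "application/octet-stream")],
    "no declared type": [("Content-Length", "120")],
    "conflicting types": [("Content-Type", "application/host-meta"),
                          ("Content-Type", "text/html")],
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, "->", accept_metadata(hdrs))
```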
